Bump the all-actions group across 1 directory with 9 updates

[dependabot]

Bumps the all-actions group with 9 updates in the / directory:

Package	From	To
actions/checkout	4	5
hyperledger/indy-shared-gha	1	2
dawidd6/action-download-artifact	6	11
peter-evans/repository-dispatch	3	4
actions/download-artifact	4	5
ossf/scorecard-action	2.4.0	2.4.3
github/codeql-action	3	4
actions/setup-python	5	6
peter-evans/create-pull-request	6	7

Updates actions/checkout from 4 to 5

Release notes

Sourced from actions/checkout's releases.

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236
• Prepare release v4.3.0 by @​salmanmkc in actions/checkout#2237

New Contributors

• @​motss made their first contribution in actions/checkout#1971
• @​mouismail made their first contribution in actions/checkout#1977
• @​benwells made their first contribution in actions/checkout#2043
• @​nebuk89 made their first contribution in actions/checkout#2194
• @​salmanmkc made their first contribution in actions/checkout#2236

Full Changelog: actions/checkout@v4...v4.3.0

v4.2.2

What's Changed

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

Full Changelog: actions/checkout@v4.2.1...v4.2.2

v4.2.1

What's Changed

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

New Contributors

• @​Jcambass made their first contribution in actions/checkout#1919

Full Changelog: actions/checkout@v4.2.0...v4.2.1

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

V5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

V4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

v4.1.5

• Update NPM dependencies by @​cory-miller in actions/checkout#1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in actions/checkout#1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in actions/checkout#1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in actions/checkout#1695
• README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com by @​cory-miller in actions/checkout#1707

v4.1.4

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in actions/checkout#1692
• Add dependabot config by @​cory-miller in actions/checkout#1688
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in actions/checkout#1693
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in actions/checkout#1643

v4.1.3

... (truncated)

Commits

• 08c6903 Prepare v5.0.0 release (#2238)
• 9f26565 Update actions checkout to use node 24 (#2226)
• See full diff in compare view

Updates hyperledger/indy-shared-gha from 1 to 2

Release notes

Sourced from hyperledger/indy-shared-gha's releases.

v2.0.0

Breaking Changes

Support for Ubuntu 22.04 has been added - use @v2 for Ubuntu 22.04 development. Support for Ubuntu 20.04 has been dropped - use @v1 for Ubuntu 20.04 development

What's Changed

• Add Dependabot configuration by @​WadeBarnes in hyperledger/indy-shared-gha#30
• Feature/ubuntu 22.04 by @​reflectivedevelopment in hyperledger/indy-shared-gha#31

New Contributors

• @​reflectivedevelopment made their first contribution in hyperledger/indy-shared-gha#31

Full Changelog: hyperledger-indy/indy-shared-gha@v1.0.19...v2.0.0

v1.0.19

What's Changed

• Upgrade additional GHA versions by @​WadeBarnes in hyperledger/indy-shared-gha#29

Full Changelog: hyperledger-indy/indy-shared-gha@v1.0.18...v1.0.19

v1.0.18

What's Changed

• Upgrade GHA versions by @​WadeBarnes in hyperledger/indy-shared-gha#28

Full Changelog: hyperledger-indy/indy-shared-gha@v1.0.17...v1.0.18

v1.0.15

What's Changed

• PythonVersionConversion for RepoTriggers by @​pSchlarb in hyperledger/indy-shared-gha#27

Full Changelog: hyperledger-indy/indy-shared-gha@v1.0.14...v1.0.15

v1.0.14

What's Changed

• Revert "fixed python package build in container" by @​pSchlarb in hyperledger/indy-shared-gha#26

Full Changelog: hyperledger-indy/indy-shared-gha@v1.0.13...v1.0.14

v1.0.13

What's Changed

• Updated actions by @​pSchlarb in hyperledger/indy-shared-gha#24
• Enforced LF by @​pSchlarb in hyperledger/indy-shared-gha#25

Full Changelog: hyperledger-indy/indy-shared-gha@v1...v1.0.13

... (truncated)

Commits

• e5112c6 Merge branch 'main' of https://github.com/hyperledger/indy-shared-gha
• 170ee46 Fix Python install issue (#34)
• 27cca25 Fix Python install issue
• bb74bf3 Ensure GHA jobs are running with Python 3.10 (#33)
• 333e0b3 Bump hyperledger/indy-shared-gha from 1 to 2 in the all-actions group
• 9c5672c chore: bump ubuntu version
• 86613ab chore: upgrade to ubuntu-22.04
• 9c9d891 Add Dependabot configuration
• See full diff in compare view

Updates dawidd6/action-download-artifact from 6 to 11

Release notes

Sourced from dawidd6/action-download-artifact's releases.

v11

Full Changelog: dawidd6/action-download-artifact@v10...v11

v10

What's Changed

• Fix the download-commit test to actually look for a commit by @​mstorsjo in dawidd6/action-download-artifact#330
• Add the option "ref", specifying either a commit or a branch by @​mstorsjo in dawidd6/action-download-artifact#329

New Contributors

• @​mstorsjo made their first contribution in dawidd6/action-download-artifact#330

Full Changelog: dawidd6/action-download-artifact@v9...v10

v9

What's Changed

• add merge_multiple option by @​timostroehlein in dawidd6/action-download-artifact#327

New Contributors

• @​timostroehlein made their first contribution in dawidd6/action-download-artifact#327

Full Changelog: dawidd6/action-download-artifact@v8...v9

v8

New features

• use_unzip boolean input (defaulting to false) - if set to true, the action will use system provided unzip utility for unpacking downloaded artifact(s) (note that the action will first download the .zip artifact file, then unpack it and remove the .zip file)

What's Changed

• README: v7 by @​haines in dawidd6/action-download-artifact#318
• Unzip by @​dawidd6 in dawidd6/action-download-artifact#325

New Contributors

• @​haines made their first contribution in dawidd6/action-download-artifact#318

Full Changelog: dawidd6/action-download-artifact@v7...v8

v7

What's Changed

• build(deps): bump fast-xml-parser from 4.4.0 to 4.4.1 by @​dependabot in dawidd6/action-download-artifact#299
• build(deps): bump @​actions/artifact from 2.1.7 to 2.1.9 by @​dependabot in dawidd6/action-download-artifact#300
• build(deps): bump adm-zip from 0.5.14 to 0.5.15 by @​dependabot in dawidd6/action-download-artifact#301
• build(deps): bump adm-zip from 0.5.15 to 0.5.16 by @​dependabot in dawidd6/action-download-artifact#306
• build(deps): bump path-to-regexp from 6.2.2 to 6.3.0 by @​dependabot in dawidd6/action-download-artifact#307
• build(deps): bump @​actions/artifact from 2.1.9 to 2.1.10 by @​dependabot in dawidd6/action-download-artifact#311
• build(deps): bump @​actions/core from 1.10.1 to 1.11.0 by @​dependabot in dawidd6/action-download-artifact#310
• build(deps): bump @​actions/core from 1.11.0 to 1.11.1 by @​dependabot in dawidd6/action-download-artifact#312
• build(deps): bump @​actions/artifact from 2.1.10 to 2.1.11 by @​dependabot in dawidd6/action-download-artifact#313
• build(deps): Fix cross-spawn >=7.0.0 <= 7.0.5 vulnerability by @​alexcouret in dawidd6/action-download-artifact#317

New Contributors

• @​alexcouret made their first contribution in dawidd6/action-download-artifact#317

... (truncated)

Commits

• ac66b43 node_modules: upgrade
• 9b54a0a Update README.md
• 4c1e823 Add the option "ref", specifying either a commit or a branch (#329)
• a708c3c Fix the download-commit test to actually look for a commit (#330)
• 19f6be5 Update README.md
• 07ab29f add merge_multiple option (#327)
• 20319c5 README: v8
• e58a9e5 Unzip (#325)
• 6d05268 node_modules: update
• c03fb0c README: v7 (#318)
• Additional commits viewable in compare view

Updates peter-evans/repository-dispatch from 3 to 4

Release notes

Sourced from peter-evans/repository-dispatch's releases.

Repository Dispatch v4.0.0

⚙️ Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner for Node 24 support.

What's Changed

• build(deps-dev): bump @​types/node from 18.19.8 to 18.19.10 by @​dependabot[bot] in peter-evans/repository-dispatch#306
• build(deps): bump peter-evans/repository-dispatch from 2 to 3 by @​dependabot[bot] in peter-evans/repository-dispatch#307
• build(deps-dev): bump @​types/node from 18.19.10 to 18.19.14 by @​dependabot[bot] in peter-evans/repository-dispatch#308
• build(deps): bump peter-evans/create-pull-request from 5 to 6 by @​dependabot[bot] in peter-evans/repository-dispatch#310
• build(deps): bump peter-evans/slash-command-dispatch from 3 to 4 by @​dependabot[bot] in peter-evans/repository-dispatch#309
• build(deps-dev): bump @​types/node from 18.19.14 to 18.19.15 by @​dependabot[bot] in peter-evans/repository-dispatch#311
• build(deps-dev): bump prettier from 3.2.4 to 3.2.5 by @​dependabot[bot] in peter-evans/repository-dispatch#312
• build(deps-dev): bump @​types/node from 18.19.15 to 18.19.17 by @​dependabot[bot] in peter-evans/repository-dispatch#313
• build(deps-dev): bump @​types/node from 18.19.17 to 18.19.18 by @​dependabot[bot] in peter-evans/repository-dispatch#314
• build(deps-dev): bump eslint-plugin-github from 4.10.1 to 4.10.2 by @​dependabot[bot] in peter-evans/repository-dispatch#316
• build(deps-dev): bump @​types/node from 18.19.18 to 18.19.21 by @​dependabot[bot] in peter-evans/repository-dispatch#317
• build(deps-dev): bump eslint from 8.56.0 to 8.57.0 by @​dependabot[bot] in peter-evans/repository-dispatch#318
• build(deps-dev): bump @​types/node from 18.19.21 to 18.19.22 by @​dependabot[bot] in peter-evans/repository-dispatch#319
• build(deps-dev): bump @​types/node from 18.19.22 to 18.19.24 by @​dependabot[bot] in peter-evans/repository-dispatch#320
• build(deps-dev): bump @​types/node from 18.19.24 to 18.19.26 by @​dependabot[bot] in peter-evans/repository-dispatch#321
• build(deps-dev): bump @​types/node from 18.19.26 to 18.19.29 by @​dependabot[bot] in peter-evans/repository-dispatch#322
• build(deps-dev): bump @​types/node from 18.19.29 to 18.19.31 by @​dependabot[bot] in peter-evans/repository-dispatch#323
• build(deps-dev): bump @​types/node from 18.19.31 to 18.19.33 by @​dependabot[bot] in peter-evans/repository-dispatch#324
• build(deps-dev): bump @​types/node from 18.19.33 to 18.19.34 by @​dependabot[bot] in peter-evans/repository-dispatch#325
• build(deps-dev): bump prettier from 3.2.5 to 3.3.1 by @​dependabot[bot] in peter-evans/repository-dispatch#326
• build(deps-dev): bump prettier from 3.3.1 to 3.3.2 by @​dependabot[bot] in peter-evans/repository-dispatch#327
• build(deps-dev): bump braces from 3.0.2 to 3.0.3 by @​dependabot[bot] in peter-evans/repository-dispatch#328
• build(deps-dev): bump ws from 7.5.9 to 7.5.10 by @​dependabot[bot] in peter-evans/repository-dispatch#329
• build(deps-dev): bump @​types/node from 18.19.34 to 18.19.38 by @​dependabot[bot] in peter-evans/repository-dispatch#330
• build(deps-dev): bump @​types/node from 18.19.38 to 18.19.39 by @​dependabot[bot] in peter-evans/repository-dispatch#332
• build(deps-dev): bump prettier from 3.3.2 to 3.3.3 by @​dependabot[bot] in peter-evans/repository-dispatch#334
• build(deps-dev): bump @​types/node from 18.19.39 to 18.19.41 by @​dependabot[bot] in peter-evans/repository-dispatch#335
• build(deps-dev): bump eslint-plugin-prettier from 5.1.3 to 5.2.1 by @​dependabot[bot] in peter-evans/repository-dispatch#336
• build(deps-dev): bump @​types/node from 18.19.41 to 18.19.42 by @​dependabot[bot] in peter-evans/repository-dispatch#337
• build(deps-dev): bump @​types/node from 18.19.42 to 18.19.43 by @​dependabot[bot] in peter-evans/repository-dispatch#338
• build(deps-dev): bump @​types/node from 18.19.43 to 18.19.44 by @​dependabot[bot] in peter-evans/repository-dispatch#339
• build(deps-dev): bump @​types/node from 18.19.44 to 18.19.45 by @​dependabot[bot] in peter-evans/repository-dispatch#340
• build(deps-dev): bump @​types/node from 18.19.45 to 18.19.47 by @​dependabot[bot] in peter-evans/repository-dispatch#341
• build(deps-dev): bump @​types/node from 18.19.47 to 18.19.50 by @​dependabot[bot] in peter-evans/repository-dispatch#343
• build(deps): bump peter-evans/create-pull-request from 6 to 7 by @​dependabot[bot] in peter-evans/repository-dispatch#342
• build(deps-dev): bump eslint from 8.57.0 to 8.57.1 by @​dependabot[bot] in peter-evans/repository-dispatch#344
• build(deps-dev): bump @​types/node from 18.19.50 to 18.19.53 by @​dependabot[bot] in peter-evans/repository-dispatch#345
• build(deps-dev): bump @​vercel/ncc from 0.38.1 to 0.38.2 by @​dependabot[bot] in peter-evans/repository-dispatch#346
• Update distribution by @​actions-bot in peter-evans/repository-dispatch#347
• build(deps): bump @​actions/core from 1.10.1 to 1.11.0 by @​dependabot[bot] in peter-evans/repository-dispatch#349
• build(deps-dev): bump @​types/node from 18.19.53 to 18.19.54 by @​dependabot[bot] in peter-evans/repository-dispatch#348
• Update distribution by @​actions-bot in peter-evans/repository-dispatch#350
• build(deps): bump @​actions/core from 1.11.0 to 1.11.1 by @​dependabot[bot] in peter-evans/repository-dispatch#351
• build(deps-dev): bump @​types/node from 18.19.54 to 18.19.55 by @​dependabot[bot] in peter-evans/repository-dispatch#352
• Update distribution by @​actions-bot in peter-evans/repository-dispatch#353
• build(deps-dev): bump @​types/node from 18.19.55 to 18.19.56 by @​dependabot[bot] in peter-evans/repository-dispatch#354

... (truncated)

Commits

• 5fc4efd docs: update readme
• a628c95 feat: v4 (#427)
• de78ac1 build(deps-dev): bump @​vercel/ncc from 0.38.3 to 0.38.4 (#425)
• f49fa7f build(deps-dev): bump @​types/node from 18.19.124 to 18.19.127 (#426)
• 7279ea0 build(deps): bump actions/setup-node from 4 to 5 (#424)
• 9658fce build(deps-dev): bump @​types/node from 18.19.123 to 18.19.124 (#423)
• 0ee9de0 build(deps-dev): bump @​types/node from 18.19.121 to 18.19.123 (#422)
• e9bb007 build(deps): bump actions/checkout from 4 to 5 (#421)
• 0e731dc build(deps-dev): bump eslint-plugin-prettier from 5.5.3 to 5.5.4 (#420)
• 62b4729 build(deps): bump actions/download-artifact from 4 to 5 (#419)
• Additional commits viewable in compare view

Updates actions/download-artifact from 4 to 5

Release notes

Sourced from actions/download-artifact's releases.

v5.0.0

What's Changed

• Update README.md by @​nebuk89 in actions/download-artifact#407
• BREAKING fix: inconsistent path behavior for single artifact downloads by ID by @​GrantBirki in actions/download-artifact#416

v5.0.0

🚨 Breaking Change

This release fixes an inconsistency in path behavior for single artifact downloads by ID. If you're downloading single artifacts by ID, the output path may change.

What Changed

Previously, single artifact downloads behaved differently depending on how you specified the artifact:

• By name: name: my-artifact → extracted to path/ (direct)
• By ID: artifact-ids: 12345 → extracted to path/my-artifact/ (nested)

Now both methods are consistent:

• By name: name: my-artifact → extracted to path/ (unchanged)
• By ID: artifact-ids: 12345 → extracted to path/ (fixed - now direct)

Migration Guide

✅ No Action Needed If:

• You download artifacts by name
• You download multiple artifacts by ID
• You already use merge-multiple: true as a workaround

⚠️ Action Required If:

You download single artifacts by ID and your workflows expect the nested directory structure.

Before v5 (nested structure):

- uses: actions/download-artifact@v4
  with:
    artifact-ids: 12345
    path: dist
# Files were in: dist/my-artifact/

Where my-artifact is the name of the artifact you previously uploaded

To maintain old behavior (if needed):

</tr></table> 

... (truncated)

Commits

• 634f93c Merge pull request #416 from actions/single-artifact-id-download-path
• b19ff43 refactor: resolve download path correctly in artifact download tests (mainly ...
• e262cbe bundle dist
• bff23f9 update docs
• fff8c14 fix download path logic when downloading a single artifact by id
• 448e3f8 Merge pull request #407 from actions/nebuk89-patch-1
• 47225c4 Update README.md
• See full diff in compare view

Updates ossf/scorecard-action from 2.4.0 to 2.4.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.3

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

• docs: clarify GITHUB_TOKEN permissions needed for private repos by @​pankajtaneja5 in ossf/scorecard-action#1574
• 📖 Fix recommended command to test the image in development by @​deivid-rodriguez in ossf/scorecard-action#1583

Other

• add missing top-level token permissions to workflows by @​timothyklee in ossf/scorecard-action#1566
• setup codeowners for requesting reviews by @​spencerschrock in ossf/scorecard-action#1576
• 🌱 Improve printing options by @​deivid-rodriguez in ossf/scorecard-action#1584

New Contributors

• @​timothyklee made their first contribution in ossf/scorecard-action#1566
• @​pankajtaneja5 made their first contribution in ossf/scorecard-action#1574
• @​deivid-rodriguez made their first contribution in ossf/scorecard-action#1584

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

v2.4.2

What's Changed

This update bumps the Scorecard version to the v5.2.1 release. For a complete list of changes, please refer to the Scorecard v5.2.0 and v5.2.1 release notes.

Full Changelog: ossf/scorecard-action@v2.4.1...v2.4.2

v2.4.1

What's Changed

• This update bumps the Scorecard version to the v5.1.1 release. For a complete list of changes, please refer to the v5.1.0 and v5.1.1 release notes.
• Publishing results now uses half the API quota as before. The exact savings depends on the repository in question.
  • use Scorecard library entrypoint instead of Cobra hooking by @​spencerschrock in ossf/scorecard-action#1423
• Some errors were made into annotations to make them more visible
  • Make default branch error more prominent by @​jsoref in ossf/scorecard-action#1459
• There is now an optional file_mode input which controls how repository files are fetched from GitHub. The default is archive, but git produces the most accurate results for repositories with .gitattributes files at the cost of analysis speed.
  • add input for specifying --file-mode by @​spencerschrock in ossf/scorecard-action#1509
• The underlying container for the action is now hosted on GitHub Container Registry. There should be no functional changes.
  • 🌱 publish docker images to GitHub Container Registry by @​spencerschrock in ossf/scorecard-action#1453

Docs

• Installation docs update by @​JeremiahAHoward in ossf/scorecard-action#1416

New Contributors

• @​JeremiahAHoward made their first contribution in ossf/scorecard-action#1416
• @​jsoref made their first contribution in ossf/scorecard-action#1459 Full Changelog: ossf/scorecard-action@v2.4.0...v2.4.1

Commits

• 4eaacf0 bump docker to ghcr v2.4.3 (#1587)
• 42e3a01 🌱 Bump the github-actions group with 3 updates (#1585)
• 88c07ac 🌱 Bump github.com/sigstore/cosign/v2 from 2.5.2 to 2.6.0 (#1579)
• 6c690f2 Bump github.com/ossf/scorecard/v5 from v5.2.1 to v5.3.0 (#1586)
• 92083b5 📖 Fix recommended command to test the image in development (#1583)
• 7975ea6 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
• 0d1a743 🌱 Bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#1575)
• 46e6e0c 🌱 Bump the github-actions group with 2 updates (#1580)
• c3f1350 🌱 Improve printing options (#1584)
• 43e475b 🌱 Bump golang.org/x/net from 0.42.0 to 0.44.0 (#1578)
• Additional commits viewable in compare view

Updates github/codeql-action from 3 to 4

Release notes

Sourced from github/codeql-action's releases.

v3.30.8

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.8 - 10 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.7

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.7 - 06 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.6

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.6 - 02 Oct 2025

• Update default CodeQL bundle version to 2.23.2. #3168

See the full CHANGELOG.md for more information.

v3.30.5

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.5 - 26 Sep 2025

• We fixed a bug that was introduced in 3.30.4 with upload-sarif which resulted in files without a .sarif extension not getting uploaded. #3160

See the full CHANGELOG.md for more information.

v3.30.4

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.4 - 25 Sep 2025

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

3.29.4 - 23 Jul 2025

No user facing changes.

3.29.3 - 21 Jul 2025

No user facing changes.

3.29.2 - 30 Jun 2025

• Experimental: When the quality-queries input for the init action is provided with an argument, separate .quality.sarif files are produced and uploaded for each language with the results of the specified queries. Do not use this in production as it is part of an internal experiment and subject to change at any time. #2935

3.29.1 - 27 Jun 2025

• Fix bug in PR analysis where user-provided include query filter fails to exclude non-included queries. #2938
• Update default CodeQL bundle version to 2.22.1. #2950

3.29.0 - 11 Jun 2025

• Update default CodeQL bundle version to 2.22.0. #2925
• Bump minimum CodeQL bundle version to 2.16.6. #2912

3.28.21 - 28 July 2025

No user facing changes.

3.28.20 - 21 July 2025

• Remove support for combining SARIF files from a single upload for GHES 3.18, see the changelog post. #2959

3.28.19 - 03 Jun 2025

• The CodeQL Action no longer includes its own copy of the extractor for the actions language, which is currently in public preview. The actions extractor has been included in the CodeQL CLI since v2.20.6. If your workflow has enabled the actions language and you have pinned your tools: property to a specific version of the CodeQL CLI earlier than v2.20.6, you will need to update to at least CodeQL v2.20.6 or disable actions analysis.
• Update default CodeQL bundle version to 2.21.4. #2910

3.28.18 - 16 May 2025

• Update default CodeQL bundle version to 2.21.3. #2893
• Skip validating SARIF produced by CodeQL for improved performance. #2894
• The number of threads and amount of RAM used by CodeQL can now be set via the CODEQL_THREADS and CODEQL_RAM runner environment variables. If set, these environment variables override the threads and ram inputs respectively. #2891

3.28.17 - 02 May 2025

• Update default CodeQL bundle version to 2.21.2. #2872

3.28.16 - 23 Apr 2025

... (truncated)

Commits

• a841c54 Scratch uploadSpecifiedFiles tests, make uploadPayload tests instead
• aeb12f6 Merge branch 'main' into redsun82/skip-sarif-upload-tests
• 6fd4ceb Merge pull request #3189 from github/henrymercer/download-codeql-rate-limit
• 196a3e5 Merge pull request #3188 from github/mbg/telemetry/partial-config
• 98abb87 Add configuration error for rate limited CodeQL download
• bdd2cdf Also include language in error status report for start-proxy, if availableDescription has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.